| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Michael B Allen <ioplex@gmail.com> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: AS-REP |
| Date | Fri, 7 Mar 2025 08:20:51 -0500 |
| Organization | TNet Consulting |
| Lines | 31 |
| Message-ID | <mailman.170.1741353671.2322.kerberos@mit.edu> (permalink) |
| References | <422792771.640057.1741317941288.ref@mail.yahoo.com> <422792771.640057.1741317941288@mail.yahoo.com> <CAGMFw4gn+uRti94aZkZ9GNo8P7a0WHN081shwd3Yj=4XMx1zmg@mail.gmail.com> |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset="UTF-8" |
| Content-Transfer-Encoding | quoted-printable |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="30786"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| Cc | "kerberos@mit.edu" <kerberos@mit.edu> |
| To | Jim Shi <hjshi@yahoo.com> |
On Thu, Mar 6, 2025 at 10:26 PM Jim Shi via Kerberos <kerberos@mit.edu> wrote:

> Hi, is there easy way to check if AS-REP is valid or not? that is, is there
> is tool or stand alone program to check?
>

I don't know about an existing tool but in theory an AS-REP is pretty self-contained, which makes it "easy" relatively speaking. You just need the base key (like from a keytab) to decrypt it and thus validate it. But you would need a Kerberos lib to help because it needs to generate a so-called DK key or derived key, which is a non-trivial bit of code. Meaning it's not as simple as running it through AES-whatever.

There is a nonce generated in the AS-REQ that's supposed to be checked but if you're just validating an AS-REQ I think it would be ok to ignore it since its primary purpose is to mix up the ciphertext so that the KDC can detect a replay and you're not a KDC.

Knowing this, in theory you could probably make a tool in 100 lines of Python assuming there's a decent Python Kerberos lib out there.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/ <http://www.ioplex.com/>
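To illustrate why the derived-key step mentioned in the reply is more than a raw AES call, here is an added example (not code from the post or from any Kerberos library) of the RFC 3961 n-fold operation and the derivation constant for the AS-REP encrypted part. It assumes an RFC 3962 AES enctype (simplified profile); the helper names `derivation_constant` and `dk_input_block` are hypothetical, and the final AES encryption of the block under the base key is left to a crypto library.

```python
# Added example: first half of DK(base_key, constant) from RFC 3961.
# The output of dk_input_block() is what gets AES-encrypted under the
# base (keytab) key to produce the derived key.
from math import gcd

KEY_USAGE_AS_REP_ENCPART = 3  # RFC 4120: AS-REP enc-part, client key


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 n-fold: stretch or compress data to exactly nbytes bytes."""
    if not data or nbytes <= 0:
        raise ValueError("n-fold needs non-empty input and a positive size")
    in_bits, out_bits = len(data) * 8, nbytes * 8
    x = int.from_bytes(data, "big")
    # Enough copies to reach lcm(len(data), nbytes) bytes in total.
    copies = nbytes // gcd(len(data), nbytes)
    big = 0
    for i in range(copies):
        r = (13 * i) % in_bits  # copy i is rotated right by 13*i bits
        rotated = ((x >> r) | (x << (in_bits - r))) & ((1 << in_bits) - 1)
        big = (big << in_bits) | rotated
    # Add the nbytes-wide slices with end-around carry (ones' complement).
    mask = (1 << out_bits) - 1
    total = 0
    while big:
        total += big & mask
        big >>= out_bits
    while total >> out_bits:
        total = (total & mask) + (total >> out_bits)
    return total.to_bytes(nbytes, "big")


def derivation_constant(usage: int, kind: str) -> bytes:
    """Key usage as 4 big-endian bytes plus a one-byte key-type suffix."""
    suffix = {"Kc": 0x99, "Ke": 0xAA, "Ki": 0x55}[kind]
    return usage.to_bytes(4, "big") + bytes([suffix])


def dk_input_block(usage: int, kind: str, block_size: int = 16) -> bytes:
    """Constant n-folded to the cipher block size, ready for encryption."""
    return nfold(derivation_constant(usage, kind), block_size)


if __name__ == "__main__":
    for kind in ("Ke", "Ki"):  # encryption key and integrity (HMAC) key
        print(kind, dk_input_block(KEY_USAGE_AS_REP_ENCPART, kind).hex())
```

The RFC 8009 AES-SHA2 enctypes use a different, HMAC-based key derivation, so this n-fold step does not apply to them.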